<p>Rejecting requests with significant content length is a good practice to control the network traffic intensity and thus resource consumption in
order to prevent DoS attacks.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> size limits are not defined for the different resources of the web application. </li>
  <li> the web application is not protected by <a href="https://en.wikipedia.org/wiki/Rate_limiting">rate limiting</a> features. </li>
  <li> the web application infrastructure has limited resources. </li>
</ul>
<p>There is a risk if you answered yes to any of those questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<ul>
  <li> For most of the features of an application, it is recommended to limit the size of requests to:
    <ul>
      <li> lower or equal to 8mb for file uploads. </li>
      <li> lower or equal to 2mb for other requests. </li>
    </ul>  </li>
</ul>
<p>It is recommended to customize the rule with the limit values that correspond to the web application.</p>
<h2>Sensitive Code Example</h2>
<p>With default limit value of 8388608 (8MB).</p>
<p>A 100 MB file is allowed to be uploaded:</p>
<pre>
@Bean(name = "multipartResolver")
public CommonsMultipartResolver multipartResolver() {
  CommonsMultipartResolver multipartResolver = new CommonsMultipartResolver();
  multipartResolver.setMaxUploadSize(104857600); // Sensitive (100MB)
  return multipartResolver;
}

@Bean(name = "multipartResolver")
public CommonsMultipartResolver multipartResolver() {
  CommonsMultipartResolver multipartResolver = new CommonsMultipartResolver(); // Sensitive, by default if maxUploadSize property is not defined, there is no limit and thus it's insecure
  return multipartResolver;
}

@Bean
public MultipartConfigElement multipartConfigElement() {
  MultipartConfigFactory factory = new MultipartConfigFactory(); // Sensitive, no limit by default
  return factory.createMultipartConfig();
}
</pre>
<h2>Compliant Solution</h2>
<p>File upload size is limited to 8 MB:</p>
<pre>
@Bean(name = "multipartResolver")
public CommonsMultipartResolver multipartResolver() {
  multipartResolver.setMaxUploadSize(8388608); // Compliant (8 MB)
  return multipartResolver;
}
</pre>
<h2>See</h2>
<ul>
  <li> OWASP - <a href="https://owasp.org/Top10/A05_2021-Security_Misconfiguration/">Top 10 2021 Category A5 - Security Misconfiguration</a> </li>
  <li> <a href="https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html">Owasp Cheat Sheet</a> - Owasp Denial of Service
  Cheat Sheet </li>
  <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration">Top 10 2017 Category A6 - Security
  Misconfiguration</a> </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/770">CWE-770 - Allocation of Resources Without Limits or Throttling</a> </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/400">CWE-400 - Uncontrolled Resource Consumption</a> </li>
</ul>

